On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote:
> Hi, 
> 
> thank you for help. 
> 
> This is my sssd.conf from the server:
> 
> [domain/vs.example.cz] 
> debug_level = 7 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> ipa_domain = vs.example.cz 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = tidmipa02.vs.example.cz 
> chpass_provider = ipa 
> ipa_server = tidmipa02.vs.example.cz 
> ipa_server_mode = True 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, sudo, pam, ssh 
> config_file_version = 2 
> 
> domains = vs.example.cz 
> [nss] 
> debug_level = 7 
> memcache_timeout = 600 
> homedir_substring = /home 
> 
> [pam] 
> debug_level = 7 
> [sudo] 
> debug_level = 7 
> [autofs] 
> debug_level = 7 
> [ssh] 
> debug_level = 7 
> [pac] 
> debug_level = 7 
> [ifp] 
> debug_level = 7 
> 
> 
> I can resolve all groups from the client:
> 
> SERVER: id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),930000008(final_test_group) 
> 
> CLIENT: 
> getent group 5001 
> csunix:x:5001: 
> 
> getent group 930000008 
> final_test_group:*:930000008: 
> 
> getent group final_test_gr...@vs.example.cz 
> final_test_group:*:930000008: 
> 
> getent group csu...@cen.example.cz 
> No reply - can't resolve that group from client. 
> 
> 
...

> 
> Also I find out that in AD there are multiple objects with gidNumber=5001 

This might be the issue: each gidNumber (and each uidNumber as well)
should be unique in the whole environment. Please check with the AD
administrators why it was done this way and if it can be changed.

HTH

bye,
Sumit

> 
> ldapsearch .... 
> (&(gidNumber=5001)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))
>  > /tmp/csunix_dump 
> cat /tmp/csunix_dump 
> dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_0 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_1 
> .... 
> gidNumber: 5001 
> 
> dn: CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_2 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_3 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_4 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_5 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix 
> ... 
> gidNumber: 5001 
> 
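A check for the duplicate-ID condition Sumit describes, added here as an example (it is not code from this thread, nor from SSSD or FreeIPA): it parses an ldapsearch LDIF dump like the one quoted above and reports every gidNumber (or uidNumber) value shared by more than one entry, so the collision can be found before SSSD lookups start failing. The sample entries are constructed to mirror the dump.

```python
from collections import defaultdict

# Constructed sample in the shape of the ldapsearch dump quoted above:
# several AD posixGroup objects all carrying gidNumber 5001.
SAMPLE_LDIF = """\
dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_0
gidNumber: 5001

dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix
gidNumber: 5001

dn: CN=final_test_group,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: posixGroup
cn: final_test_group
gidNumber: 930000008
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line-separated LDIF entry.
    Folded continuation lines (leading space) are joined; comments skipped."""
    entries, current, last_attr = [], defaultdict(list), None
    for line in text.splitlines():
        if line.startswith(" ") and last_attr:      # folded line continues previous value
            current[last_attr][-1] += line[1:]
            continue
        if not line.strip():                        # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            last_attr = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        last_attr = attr.strip()
        current[last_attr].append(value.strip())    # "::" base64 values kept raw
    if current:
        entries.append(dict(current))
    return entries

def find_duplicate_ids(entries, attr="gidNumber"):
    """Map each attr value (gidNumber/uidNumber) used by >1 entry to those entries' DNs."""
    by_id = defaultdict(list)
    for e in entries:
        for v in e.get(attr, []):
            by_id[v].append(e["dn"][0])
    return {v: dns for v, dns in by_id.items() if len(dns) > 1}
```

Run it over a real `ldapsearch -LLL` dump of both posixGroup and posixAccount objects to catch uidNumber collisions as well as gidNumber ones.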

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
